Don't consider copyOf() and clone() in ArrayUpdate

Author: artem-smotrakov

java/ql/src/experimental/semmle/code/java/security/StaticInitializationVectorQuery.qll

@@ -50,12 +50,6 @@ private class ArrayUpdate extends Expr {
       ma.getArgument(2) = array
     )
     or
-    exists(StaticMethodAccess ma |
-      ma.getMethod().hasQualifiedName("java.util", "Arrays", ["copyOf", "copyOfRange"]) and
-      ma = this and
-      ma = array
-    )
-    or
     exists(MethodAccess ma, Method m |
       m = ma.getMethod() and
       ma = this and
@@ -66,10 +60,6 @@ private class ArrayUpdate extends Expr {
       m.hasQualifiedName("java.security", "SecureRandom", "nextBytes") or
       m.hasQualifiedName("java.util", "Random", "nextBytes")
     )
-    or
-    exists(MethodAccess ma, Method m | m = ma.getMethod() |
-      m.getDeclaringType().hasName("byte[]") and m.hasName("clone") and ma = this and ma = array
-    )
   }
 
   /** Returns the updated array. */

java/ql/test/experimental/query-tests/security/CWE-1204/StaticInitializationVector.java

@@ -153,7 +153,8 @@ public byte[] encryptWithRandomIvWithArraysCopy(byte[] key, byte[] plaintext) th
         byte[] randomBytes = new byte[16];
         SecureRandom.getInstanceStrong().nextBytes(randomBytes);
 
-        byte[] iv = Arrays.copyOf(randomBytes, 16);
+        byte[] iv = new byte[16];
+        iv = Arrays.copyOf(randomBytes, 16);
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");